Audrey ANDAY*, Enrico FRANCESE*, Hugo C. HUURDEMAN*, Muharrem YILMAZ*, Dydimus ZENGENENE* Abstract

Size: px
Start display at page:

Download "Audrey ANDAY*, Enrico FRANCESE*, Hugo C. HUURDEMAN*, Muharrem YILMAZ*, Dydimus ZENGENENE* Abstract"

Transcription

1 BİLGİ Audrey DÜNYASI, ANDAY, Enrico 2012, FRANCESE 13 (1) et al. Information Security Issues in a Digital Library Environment: A Literature Review Dijital Kütüphane Ortamında Bilgi Güvenliği Sorunları: Literatür Değerlendirmesi Audrey ANDAY*, Enrico FRANCESE*, Hugo C. HUURDEMAN*, Muharrem YILMAZ*, Dydimus ZENGENENE* Abstract This paper aimed to explore the literature on security issues that digital libraries should consider in managing digital resources. Books on information security and network security were consulted as well as several databases such as ERIC, Ebrary, LISA, Science Direct, EbscoHost, ISI, Google Scholar, ProQuest, Emerald Insight, ACM were searched to understand what particular aspect of information security and privacy in digital libraries exist from Security in digital libraries is an issue of the most important, and should be considered carefully in creating policies and strategic plans of institutions wanting to set up a digital library. This paper focused on the four main streams that concerns security in the digital environment, namely: infrastructure, digital content, users and standards and legal issues. This literature review also built upon previous literature reviews, and is one of the few of its kind in the topic. Keywords: Information security, Digital libraries, Data protection Öz Bu çalışma dijital kütüphanelerin kaynakların yönetiminde göz önünde bulundurması gereken güvenlik sorunlarına ilişkin literatürü ortaya koymayı amaçlamaktadır. Bilgi Güvenliği, Ağ Güvenliği, Kişisel Gizlilik konuları üzerine yıl aralığını kapsayan kitaplar ve makaleler ERIC, Ebrary, LISA, Science Direct, EbscoHost, ISI, Google Akademik, ProQuest, Emerald Insight ve ACM gibi çeşitli veri tabanlarından taranmıştır. İncelenen literatürden elde edilen sonuçlara göre, bilgi güvenliği dijital kütüphaneler için son derece önemli bir konudur ve dijitalleşme sürecinde bir kütüphane, güvenlik politikalarını ve stratejik planlarını dikkatle göz önünde bulundurmalıdır. Bu araştırmada dijital ortamda güvenliği ilgilendiren Altyapı, Dijital İçerik, Kullanıcılar, Standartlar ve Hukuki Konular olmak üzere dört ana madde üzerinde durulmuştur. Bu çalışma ayrıca daha önceki literatür taramalarını da kapsamaktadır. Anahtar sözcükler: Bilgi güvenliği, Dijital kütüphaneler, Veri koruma * Master Students; International Master in Digital Library Learning

2 Audrey ANDAY, Enrico FRANCESE et al. Introduction Society has been increasingly dependent on information technology (IT) for several years now. In this Information Age, millions of users (or participants) access and exchange billions of objects of information content in complex work flow processes (e.g., commerce, learning, health care). The research community uses computer systems to perform research and to disseminate findings. Information sharing has been made easier and less expensive by Internet technologies and global networking infrastructures, but availability of such information systems comes at the expenses of higher risks. In the long run, information is not preserved, websites tend to disappear frequently and digital media become obsolete easily and there can be an abuse in the privacy of information. Moreover, the integrity of the systems could be compromised. Access control is often described as rules regulating how participants are allowed to access object and could also be viewed as information flow control because every access results in flow of information between entities (either or both participant and object) (Chen, Choo and Chow, 2006). The integrity and availability of all these systems have to be protected against a number of threats. Hackers, rival corporations, terrorists and even foreign governments have the motive and capability to carry out sophisticated attacks against computer systems (Patel, Qassim and Wills, 2010). Thus, security mechanisms appropriate for Internet-based, real-world applications should be a prerequisite. Unless an attack is successful or a system is compromised, security in general, intrusion detection (ID) in particular, is rarely noticed by management. When security fails and the notification is too late, only would managers consider viewing the security issue as visible as their organizational needs. Such crisis would finally open the sense of importance of security in any given system (Goodall, Lutters and Kondoli, 2009). Dorsish et al. (2004, p.391), mentioned in their paper that effective security solutions depend [ ] also on people s ability to understand them and use them as part of their work. Moreover, Birnbaum (2004), in his talk shared that in today s information-rich world, digital libraries would play an essential role and will assume central positions of even more significance in pervasive systems. They will not only serve as repositories of knowledge and information, and as the primary mechanism for its retrieval and distribution, but they will also be the focal point for the integration of information and scholarship across all boundaries of application, language, and media. Since they will also inevitably become the target of malicious attack by people seeking unauthorized information, and by terrorists seeking to disrupt the global information infrastructure and the physical infrastructures built upon it, it is both timely and essential to study the cyber security characteristics future digital libraries will have to support. 118

3 Information Security Issues in a Digital Library... BİLGİ DÜNYASI, 2012, 13 (1) Furthermore, Tyrväinen in 2005, as cited in Fox and ElSherbiny (2011), considered the security as an important issue in digital library design. Security weaknesses in digital libraries, coupled with attacks or other types of failures, can lead to confidential information being inappropriately accessed, or loss of integrity of the data stored. These in turn can have a damaging effect on the trust of publishers or other content providers, can cause embarrassment or even economic loss to digital library owners, and can even lead to pain and suffering or other serious problems if urgently needed information is unavailable (Fox and ElSherbiny, 2011, p.8). This paper reviews literature about security issues in the digital environment specifically what digital libraries should be aware of in the first place. Methodology The search strategy that was employed for this literature review involved searching printed and online materials. Books on information security and network security were consulted as well as several databases such as ERIC, Ebrary, LISA, Science Direct, EbscoHost, ISI, Google Scholar, ProQuest, Emerald Insight, ACM were searched to understand what particular aspect of information security and privacy in digital libraries exist from Several keywords used to search catalogues and databases include digital libraries AND security, security in digital libraries, information security in digital libraries, threats information security, wireless security, database security, system security ontology library, security AND libraries, security in libraries, privacy in libraries, information security, digital content security, information security AND legal aspects, information security standards, information security AND digital library, data protection law A very broad spectrum of articles that deals with the whole concept of security came out; so we decided to limit the articles to those that pertains to the four main streams that concerns security in the digital environment: 1) Infrastructure - This section focused on the importance of security applied in any system infrastructure that covers securing hardware and software, ensuring network security, and looking into Web vulnerabilities that can distract the smooth flow of communication and transfer of information in a wired or wireless environment. 2) Digital content - This section discussed how important it is to also ensure that digital content are secured in a digital environment and describes some of the steps that can be undertaken in order to recover important data and attain the real purpose of preservation. 3) User information security - This section illustrated some issues pertaining to the terms of security of systems, maintaining the confidentiality of users within a digital library environment i.e. their private information are kept in a trustworthy manner and is not used without their knowledge. 119

4 Audrey ANDAY, Enrico FRANCESE et al. 4) Standards and legal issues - This section provided an overview of the development of the different existing standards in ensuring security of any system which can serve as basis for formulation of polices and guide in setting up a system in digital environment. 1 - Infrastructure According to Lampson (2004), people have been working on computer system security for over thirty years and they have registered notable intellectual success. However, the security risk of millions of deployed computer systems is so high that a determined and competent attacker could destroy most of the information on almost any of these systems or steal it from any system that is connected to a network or even attack millions of systems at once. Library computers are not safe, they are physically vulnerable to theft, damage and destruction, but, most of all, they are vulnerable to attacks by a host of malware agents which include Trojans, viruses, worms, adware, spyware, pornware, keystroke loggers, password stealers and others (Zimerman, 2009). Hackers, viruses, worms, and trojan horses as external extrusions which libraries should be able to handle (Al- Suqri and Afzal, 2007). Computers are not safe because they have the most popular antivirus software; instead it is more dangerous to believe that one is safe when he/ she has antivirus software installed. There are criminals who specialize in targeted attacks, making it more difficult to handle the risk with the traditional antivirus systems (Zimerman, 2009). Given the value of information that they hold, digital libraries have to be worried about this problem. Danger is a multifaceted threat which faces every computing environment, however there are protection systems that have to be applied but some are too expensive for a library and they only help to minimize but are never perfect (Zimerman, 2009). In a library environment it is even harder since it is difficult to control behavior of many users. Lampson (2004) summarizes it all by his phrase security is pain, arguing that the threat of IT security does not seem very high until one is attacked, however implementation of security is expensive and takes time from hours of production even if it does not directly contribute to production. The pain is even higher in libraries where the output is a service which is usually offered free of charge. 1.1 Securing the Hardware Hardware security is the security of such equipment as computers, printers, monitors etc which libraries find indispensible in their day today functions especially in this digital era. There is need to keep such hardware in secure rooms under physical lock and key and an inventory system should be implemented for easy tracking. Control deters theft of property, unauthorized access to servers thereby preventing tampering with server settings, corrupting data, or gaining access to programs and confidential information (National Forum on Education Statistic, 2003). In order to maintain hardware security, it is important to implement strong physical security measures. 120

5 Information Security Issues in a Digital Library... BİLGİ DÜNYASI, 2012, 13 (1) Network security In a digital library...resources are accessed via the Internet and networks are playing a vital role in connecting these information sources (Singh, 2003). In the digital age availability of secure, efficient and cost effective networks of access, would be the core competency of the libraries. It would be vital for libraries to secure networks so that the integrity of data can be maintained (Al-Suqri and Afzal, 2007). Network equipment include hubs, routers switches and cabling. For the hardware that supports the network it is necessary to implement security measures that correspond to all other sensitive hardware equipment (National Forum on Education Statistic, 2003). Computer networks now exist as wired and/or wireless networks and security measures in these environments are different. Libraries tend to use wired networks for machines which are fixed in their premises. Wireless networks are used for connecting users who might be having their own mobile gadgets to connect to the network. To ensure security of physical networks, it is important not to allow users to install unauthorized network equipment, use secure passwords for root access, ensure proper cabling and cable protection (National Forum on Education Statistic, 2003). A wireless network is a network that uses high-frequency radio waves rather than wire to communicate between two nodes. The wireless network infrastructure has brought about better flexibilities in terms of geographical limitation as well as hardware and software accommodated. Mobile phones and other gadgets other than personal computers are joining the network realms which were previously the domain of personal computers connected through wires (Khalil, 2004). Wireless networks will be the standard mode for information access for both oncampus and classrooms connectivity. This technology is already helping students to interact with digital library systems on the net (Khalil, 2004). Wireless networks have however also brought with them a great degree of risks as far as network security is concerned. Unlike in the wired network, security in a wireless network is more of concern because network transmissions are available to anyone within the transmitter with the appropriate antenna, physical access controls like doors and locks do not help. Sniffing (intercepting) is much easier because the radio transmissions are designed to be processed by any receiver within the range and also that they have funny boundaries beyond the intended one (Gast, 2002). For that reason, the wireless networks is a double edged sword which possesses both high potential and high risks (Porter, 2002, p.16). Wired networks are also insecure since it is possible for an attacker to tap electromagnetic energy that is radiated by wired networks; however this is by use of sophisticated equipment and involves relative proximity to the cables unlike the wireless signal which can easily overlap across the intended boundaries (Porter, 2002, p.21). Due to the increase on the use of mobile gadgets, digital libraries are increasingly being accessed via wireless networks. That implies the need to consider investment in wireless network security if the integrity of information resources is to be maintained. 121

6 Audrey ANDAY, Enrico FRANCESE et al. 1.2 Operating system security The operating system is the underlying system on which application programmes run. Therefore, the choice of an operating system plays a critical role in ensuring system security. Operating systems ensure access to centralized resources including applications, access privileges can be granted or restricted thereby regulating the use of network resources. Some operating systems are easier to run yet they are less secure than those that might be difficult to run. In any case the system must be hardened or secured by removing unnecessary functions, restricting access and tracking changes and processes. There are several free open source operating systems available for free and proprietary operating systems for which libraries have to pay; however the cost of purchasing a system is not a guarantee for security. It is however possible to run a mixed computing environment where systems run on different operating systems but there is need for experience and high degree of expertise in administering such environments even though they guarantee better security (National Forum on Education Statistic, 2003). Libraries are therefore advised to consider establishing mixed computing environments even if the costs of maintenance are high. Database security Databases are very critical parts of the library information system as the key hosts of metadata, and other administrative information. Databases employ security systems as those of operating systems but users are assigned certain types of groups called roles. For example the head librarian and the library clerk have different roles in the system and that controls what each user can view or edit in the database. Database security can be maintained discretely or can be integrated with operating systems. That implies that users will require only one logon into the system. Database security mechanisms are effective if they are used in conjunction with proper security mechanisms implemented at the front end application like dynamic web pages (National Forum on Education Statistic, 2003). Databases have the capability to offer access to resources as defined by roles and profiles and should be based on the respective functions. A database should also have tracking features that can track when the database was accessed by whom and what changes took place. For instance; it must be possible to trace who added an article to the collection and when. Data transmission should be secured using protocols such as Secure Socket Later (SSL) or Secure Shell (SSH). SSL is a public key cryptography based confidentiality mechanism which is historically associated with web pages accessed via the secure hypertext transfer protocol (https) even though it can be used to encapsulate any protocol. Porter (2002) judges that SSL is best for protecting transaction based protocols such as web traffic and mail transactions. SSH is a secure replacement for commands such as rlogin, rcmd, and rshel. SSH also uses public key cryptography like SSL but does not rely on trusted authority to issue the public/private key pairs (Porter, 2002). 122

7 Information Security Issues in a Digital Library... BİLGİ DÜNYASI, 2012, 13 (1) Web application level vulnerabilities Despite the laws in European countries that mandate secure sites, many library websites have serious security flaws which render then vulnerable to attacks (Kuzma, 2010). From a research conducted in European countries, almost 80 percent of web related flaws were caused by web application vulnerabilities with the three main common types being: Cross scripting, Denial of Service and SQL injection. Major causes for these problems are pointed to be, lack of updating software versions, developers install the default software and forget the need to update, lack of consideration of security flaws, lack of upgrading software correctly and lack of effecting coding practice during designing and development (Kuzma, 2010). Cross-site Scripting Cross-site scripting is a security vulnerability that allows the injection of programming code by malicious third parties into web pages hosted on a server. This allows risks by allowing fishers or fraudsters to launch an attack without directly targeting or gaining access to a legitimate website. This allows unknowing and unsuspecting web visitors to see forms input and send data or to be exposed to malicious downloads on other content while viewing your website (Cyveillance, 2008). Denial of Service Denial of Service (DoS) is a type of attack that prevents access to network resources and this can be devastating and difficult to protect against and DoS involves flooding the network with traffic choking the transmission lines and preventing other legitimate users from accessing services on the network. Denial of access can come as various types of attacks at different layers of the OSI model but all leading to network flooding (Porter, 2002). SQL Injection SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input, in order to affect the execution of predefined SQL statements. It is a common threat in web applications that lack proper sanitization on user-supplied input used in SQL queries (Guimarães, 2009). Due to the increased need to offer computer aided web-based services, libraries must be aware of all these possible infrastructural threats and protect their data and the entire system. 2 - Data Security The core of any information system is the data contained in it: Libraries make no exception. With data we mean both the documents and the meta-information applied to them: OCLC (2006) reminds that For disaster prevention and recovery, all data 123

8 Audrey ANDAY, Enrico FRANCESE et al. (content and metadata) is considered of equal value. A secured system with corrupted data is useless; in the same way, the data storage within a frail infrastructure is weak and exposed to danger. System security and data protection go hand in hand, part of the same side in what Fox (2006) calls the two-front war. From one side we must protect our patrons, their privacy and confidentiality as well as their electronic devices. On the other hand there is the need to protect the digital content itself and the electronic infrastructure from abuse. 2.1 Background Fears The risks of digital preservation which libraries and archival institutions have to consider were foreseen since the end of the 1990s. Authors called for attention to these issues assuming dramatic tones, speaking of digital dark ages (Kuny, 1997) and a time-bomb for digital libraries (Hedstrom, 1998). The first author to claim risks for the digital preservation was Rothenberg (1995, p.2), who indicated the risk of format obsolescence as the main threat to the digital cultural heritage: although its reproducibility make digital information theoretically invulnerable to the ravages of time, the physical media on which it is stored are far from eternal. [...] The contents of most digital media [...] become unusably obsolete much sooner, as they are superseded by new media or incompatible formats. Moving his steps from this article, Kuny raised several points which in part repeat the concerns pointed out by Rothenberg (1995): Enormous amounts of digital information are already lost forever. Information technologies become obsolete very quickly. Document and media formats continue to proliferate. Technology standards will not solve fundamental issues in the preservation of digital information. Libraries will shortly see a demographic bulge of electronic material as the baby boom generation of authors and academics contribute material gathered during their careers. Much material will never make it into library collections for preservation because of increasingly restrictive intellectual property and licensing regimes. Archiving and preservation functions in a digital environment will increasingly become privatized as information continues to be commodified. Kuny shared two main concerns with Rothenberg (1995): The actual risk of obsolescence and the distrust for standards. The lack of faith in standards is due to the fact that commercial software vendors are not willing to play on. The challenge in preserving electronic information is not primarily a technological one, it is a sociological one (Kuny, 1997, p.4). 124

9 Information Security Issues in a Digital Library... BİLGİ DÜNYASI, 2012, 13 (1) Hedstrom (1998) looked at the standard issue with a different perspective. For her, the problem is that Digital preservation is constrained by the absence of established standards, protocols. In 1998 she just saw the situation as not mature enough. We will see in section 4 of this paper that since the time of Hedstrom and Kuny were writing, a lot of new developments happened in the field of standards. In this section we focus on the problems of data safety and preservation. 2.2 Obsolescence A definition of obsolescence is given by Pearson (2008). Reminding that A file format is a particular way to encode information for storage and use, he defines obsolescence as: the development of new format encodings that take the place of already existing formats in the marketplace of use; and the changes in the availability of presentation tools, generally (although not exclusively) in the direction of decreasing availability, for any particular file format (Pearson, 2008, p.91). According to Rosenthal (2010a), obsolescence has proved to be a minor risk: format obsolescence is a rare problem that happens infrequently to a minority of unpopular formats. Nevertheless, he proposes two solutions: a standard solution and an alternative one. The standard solution consists of migration: it is based upon public registries of format specifications and the creation of software which converts files in obsolete formats to usable files. A format registry is a repository for format representation information or, in other words, descriptive, administrative, and technical metadata about digital formats, including the definition of the syntactic and semantic characteristics of the registered formats. This metadata defines the significant properties of digital formats with regard to the long-term preservation of digital objects (Abrams, 2005, p.131). The alternate model is based upon emulation: the obsolete file is rendered in a replica of his original environment. Open-source technology is very important in order to create working emulators (Rosenthal, 2010b). Abrams (2005, p.129) notes that emulation differs from migration in the fact that the file is not manipulated but its integrity is kept at its original conditions. 2.3 Data security backup The main safety measure for the integrity of data is the backup (Whitman, 2003). Hadow (2009) clearly indicates backup as the main way to protect content ( The most reliable backups store the copied data off the premises, preserving it from physical damage. ). The OCLC Digital Archive Preservation Policy (OCLC, 2006, p.10) details a state-ofthe-art backup strategy. The main points can be summarized as: backups are made on tape support; data and metadata are treated together; operations are handled by specialized dedicated staff ( OCLC maintains staff solely dedicated to network and system security, including at least one Certified Information Systems Security 125

10 Audrey ANDAY, Enrico FRANCESE et al. Professional. ); backups are kept in secure off-site storage facilities ( All computer rooms are protected from fire by a halon gas fire suppression system. All computer rooms are climate-controlled with raised-floor environments ) whose access is strictly regulated ( Access privileges to the computer room are limited and are reviewed every three months. Each access is logged, recording information such as the staff person entering, the door entered, and the time ). The off-site facilities must meet the highest industry standards for safety and security. Rosenthal (2010b) shows how data storage has become easier and easier in the last years thanks to the development of technology and the lowering of the related costs: Storage is cheap, so if there is a chance the data could possibly be useful, we keep it. We know that storage isn t completely reliable, so we keep backup copies as well. Despite this, backup is not 100% reliable and easy to achieve. In the same article Rosenthal shows the difficulties related to the planning and cost of the backup systems: Our inability to compute how many backup copies we need to achieve a reliability target is something we are just going to have to live with. He also reminds that in the real world failures are inevitable, especially in the large-scale digital preservation projects required by today s institutions. In a different article of the same year Rosenthal (2010a) returns to the false claim that storage is free or low cost: again, at the scale of real digital preservation and with an appropriate number of copies this is certainly not true. Then it is often said that bit preservation is a solved problem, but at the scales and for the durations needed in digital preservation this is unfortunately not the case. In the backup era, this solution has a drawback: Ironically that ability to mirror and duplicate digital objects also becomes a liability when data is stolen that was not intended for public consumption (Fox, 2006). This aspect of digital information is seen as a potential flaw even by Kuny (1997), who notices how Digital collections facilitate access, but do not facilitate preservation, and by Hedstrom (1998) who claims that The two terms mass storage and long-term preservation embody a contradiction in the current state of affairs of digital library development, representing a time bomb that threatens the long-term viability. Maniatis et al. (2005) also point out the peculiarity of the backup strategies required by digital preservation projects. They make three starting points: Digital preservation systems have some unusual features. First, such systems must be very cheap to build and maintain, which precludes high-performance hardware such as RAID (Patterson et al as cited by Maniatis, 2005) or complicated administration. Second, they need not operate quickly. Their purpose is to prevent rather than expedite change to data. Third, without central control and in the face of possible interference from attackers or catastrophic failures of storage media such as fire or theft, must function properly for decades. 126

11 Information Security Issues in a Digital Library... BİLGİ DÜNYASI, 2012, 13 (1) Policies Data backups, just like all the security measures discussed in section 1, must be part of what we call disaster recovery plan. Fox puts it very plain: Having a disaster recovery plan is very important (2006, p.255). All the literature agreed that backup practice is nothing if not supported by a clear preservation policy, which involves also security and information literacy and staff training and education (Kouzma, 2010, and Balas, 2005). Whitman (2003) and Parkin (2009) also stress on the importance of policies for an efficient digital preservation plan. We examined two policies: OCLC Digital Archive Preservation Policy and Supporting Documentation (OCLC, 2006) and the report Digital Preservation Policies, prepared for JISC in 2008 (Beagrie, Semple, Williams and Wright, 2008). OCLC openly confirms the claims reported by Kouzma (2010, p.5): A preservation strategy must include more than just what can be achieved by good system back-up procedures. A strategy is needed also to ensure the long-term accessibility of digital content objects deemed to have enduring value. The JISC report is interesting also because it aims to be a model for further preservation projects. Our objective therefore has been to produce a practical guide for developing an institutional digital preservation policy (Beagrie et.al, 2008). The policies addressed the preservation problem in an organic way, embracing all the aspects of the institution: from the definition of the Principle Statement which guide the policy itself, to the connection with all other practices engaged by the institute, to the definition of the content and the practices to implement. 3 - User Information Security Computer systems have become an essential element of libraries. As patrons are using library systems, a large amount of transaction data about users is being recorded, and often stored in the systems. This development has severe implications for the security of user data. The already mentioned two-front war that is being fought by libraries results in the need to protect library systems against various types of abuse (see section 1), and the need to guard the confidentiality of their users (Fox, 2006, p.250). Not only hackers and criminals can try to gather confidential data, but also government agencies can do inquiries about library users (Bowers, 2006). The previous section covered the safety of data with respect to accidents and obsolescence, and data preservation policies. Another important issue in libraries is the security of user information, which will be discussed in this section. We will firstly define privacy and confidentiality. Subsequently, we discuss types of privacy issues in the library context, as gathered from the literature. We will also discuss threats to security of user information, trust issues and finally look at security principles regarding user information used by libraries. 127

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

Getting a Secure Intranet

Getting a Secure Intranet 61-04-69 Getting a Secure Intranet Stewart S. Miller The Internet and World Wide Web are storehouses of information for many new and legitimate purposes. Unfortunately, they also appeal to people who like

More information

The Hidden Dangers of Public WiFi

The Hidden Dangers of Public WiFi WHITEPAPER: OCTOBER 2014 The Hidden Dangers of Public WiFi 2 EXECUTIVE SUMMARY 4 MARKET DYNAMICS 4 The Promise of Public WiFi 5 The Problem with Public WiFi 6 MARKET BEHAVIOR 6 Most People Do Not Protect

More information

What Do You Mean My Cloud Data Isn t Secure?

What Do You Mean My Cloud Data Isn t Secure? Kaseya White Paper What Do You Mean My Cloud Data Isn t Secure? Understanding Your Level of Data Protection www.kaseya.com As today s businesses transition more critical applications to the cloud, there

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系 資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系 Outline Infosec, COMPUSEC, COMSEC, and Network Security Why do we need Infosec and COMSEC? Security

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

ICANWK406A Install, configure and test network security

ICANWK406A Install, configure and test network security ICANWK406A Install, configure and test network security Release: 1 ICANWK406A Install, configure and test network security Modification History Release Release 1 Comments This Unit first released with

More information

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. CONTENTS 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. Conclusion 1. EXECUTIVE SUMMARY The advantages of networked data storage technologies such

More information

INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS

INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS Effective Date June 9, 2014 INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS OF THE HELLER SCHOOL FOR SOCIAL POLICY AND MANAGEMENT Table of Contents 1.

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Pierce County Policy on Computer Use and Information Systems

Pierce County Policy on Computer Use and Information Systems Pierce County Policy on Computer Use and Information Systems Pierce County provides a variety of information technology resources such as computers, software, printers, scanners, copiers, electronic mail

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

National Cyber Security Month 2015: Daily Security Awareness Tips

National Cyber Security Month 2015: Daily Security Awareness Tips National Cyber Security Month 2015: Daily Security Awareness Tips October 1 New Threats Are Constantly Being Developed. Protect Your Home Computer and Personal Devices by Automatically Installing OS Updates.

More information

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services 1 Contents 3 Introduction 5 The HIPAA Security Rule 7 HIPAA Compliance & AcclaimVault Backup 8 AcclaimVault Security and

More information

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER WHITE PAPER CHALLENGES Protecting company systems and data from costly hacker intrusions Finding tools and training to affordably and effectively enhance IT security Building More Secure Companies (and

More information

Penetration Testing Service. By Comsec Information Security Consulting

Penetration Testing Service. By Comsec Information Security Consulting Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your

More information

Cyber Essentials Scheme

Cyber Essentials Scheme Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these

More information

KEEPING PATIENT INFORMATION SAFE AND SECURE IN THE CLOUD

KEEPING PATIENT INFORMATION SAFE AND SECURE IN THE CLOUD CASE STUDY Take Cover The costs of exposing or losing patient information can ruin a dental practice. Cloud-based solutions can protect your business and your patients against these threats: Unauthorized

More information

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

IT Security Management 100 Success Secrets

IT Security Management 100 Success Secrets IT Security Management 100 Success Secrets 100 Most Asked Questions: The Missing IT Security Management Control, Plan, Implementation, Evaluation and Maintenance Guide Lance Batten IT Security Management

More information

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI Office of Regulatory Compliance 13001 E. 17 th Place, Suite W1124 Mail Stop F497 Aurora, CO 80045 Main Office: 303-724-1010 Main Fax: 303-724-1019 HIPAA Policy 7.1 Title: Source: Prepared by: Approved

More information

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft) 1- A (firewall) is a computer program that permits a user on the internal network to access the internet but severely restricts transmissions from the outside 2- A (system failure) is the prolonged malfunction

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

ICTN 4040. Enterprise Database Security Issues and Solutions

ICTN 4040. Enterprise Database Security Issues and Solutions Huff 1 ICTN 4040 Section 001 Enterprise Information Security Enterprise Database Security Issues and Solutions Roger Brenton Huff East Carolina University Huff 2 Abstract This paper will review some of

More information

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public] IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

Information Technology Cyber Security Policy

Information Technology Cyber Security Policy Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please

More information

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA

More information

LAW OFFICE SECURITY for Small Firms and Sole Practitioners. Prepared by Andrew Mason, Scott Phelps & Mason, Saskatoon Saskatchewan

LAW OFFICE SECURITY for Small Firms and Sole Practitioners. Prepared by Andrew Mason, Scott Phelps & Mason, Saskatoon Saskatchewan LAW OFFICE SECURITY for Small Firms and Sole Practitioners Prepared by Andrew Mason, Scott Phelps & Mason, Saskatoon Saskatchewan 1. Introduction CONTENTS 2. Security Consciousness Having a Firm Security

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

TYPES, PREVALENCE, AND PREVENTION OF CYBERCRIME. Haya Fetais & Mohammed Shabana. Saint Leo University COM- 510

TYPES, PREVALENCE, AND PREVENTION OF CYBERCRIME. Haya Fetais & Mohammed Shabana. Saint Leo University COM- 510 TYPES, PREVALENCE, AND PREVENTION OF CYBERCRIME Haya Fetais & Mohammed Shabana Saint Leo University COM- 510 November 23, 2014 Introduction Globalization and technological developments have infiltrated

More information

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy 1.0 BACKGROUND AND PURPOSE Information Technology ( IT ) includes a vast and growing array of computing, electronic and voice communications facilities and services. At the Colorado School of Mines ( Mines

More information

CONSIDERATIONS BEFORE MOVING TO THE CLOUD

CONSIDERATIONS BEFORE MOVING TO THE CLOUD CONSIDERATIONS BEFORE MOVING TO THE CLOUD What Management Needs to Know Part II By Debbie C. Sasso Principal In part I, we discussed organizational compliance related to information technology and what

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Feedback Ferret. Security Incident Response Plan

Feedback Ferret. Security Incident Response Plan Feedback Ferret Security Incident Response Plan Document Reference Feedback Ferret Security Incident Response Plan Version 3.0 Date Created June 2013 Effective From 20 June 2013 Issued By Feedback Ferret

More information

Information Security Services

Information Security Services Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

More information

IT Checklist. for Small Business INFORMATION TECHNOLOGY & MANAGEMENT INTRODUCTION CHECKLIST

IT Checklist. for Small Business INFORMATION TECHNOLOGY & MANAGEMENT INTRODUCTION CHECKLIST INFORMATION TECHNOLOGY & MANAGEMENT IT Checklist INTRODUCTION A small business is unlikely to have a dedicated IT Department or Help Desk. But all the tasks that a large organization requires of its IT

More information

Guide to Vulnerability Management for Small Companies

Guide to Vulnerability Management for Small Companies University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...

More information

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for

More information

Ethical Applications of New Legal Technology: Conflict Checking, Cloud Computing, Electronic Use & Social Media

Ethical Applications of New Legal Technology: Conflict Checking, Cloud Computing, Electronic Use & Social Media Ethical Applications of New Legal Technology: Conflict Checking, Cloud Computing, Electronic Use & Social Media By Todd C. Scott, VP Risk Management Minnesota Lawyers Mutual Ins. Co. The purpose of a conflicts

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

EXIN Information Security Foundation based on ISO/IEC 27002. Sample Exam

EXIN Information Security Foundation based on ISO/IEC 27002. Sample Exam EXIN Information Security Foundation based on ISO/IEC 27002 Sample Exam Edition June 2016 Copyright 2016 EXIN All rights reserved. No part of this publication may be published, reproduced, copied or stored

More information

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Page 2 of 8 Introduction Patient privacy has become a major topic of concern over the past several years. With the majority

More information

AUDITOR GENERAL S REPORT. Protection of Critical Infrastructure Control Systems. Report 5 August 2005

AUDITOR GENERAL S REPORT. Protection of Critical Infrastructure Control Systems. Report 5 August 2005 AUDITOR GENERAL S REPORT Protection of Critical Infrastructure Control Systems Report 5 August 2005 Serving the Public Interest Serving the Public Interest THE SPEAKER LEGISLATIVE ASSEMBLY THE PRESIDENT

More information

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004 A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:

More information

Managed Security Services

Managed Security Services Managed Security Services 1 Table of Contents Possible Security Threats 3 ZSL s Security Services Model 4 Managed Security 4 Monitored Security 5 Self- Service Security 5 Professional Services 5 ZSL s

More information

Achieving Compliance with the PCI Data Security Standard

Achieving Compliance with the PCI Data Security Standard Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),

More information

Five keys to a more secure data environment

Five keys to a more secure data environment Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED The FBI Cyber Program Bauer Advising Symposium October 11, 2012 Today s Agenda What is the threat? Who are the adversaries? How are they attacking you? What can the FBI do to help? What can you do to stop

More information

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref: SERVER SECURITY STANDARD Security Standards are mandatory security rules applicable to the defined scope with respect to the subject. Overview Scope Purpose Instructions Improperly configured systems,

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information

Chapter 11 Manage Computing Securely, Safely and Ethically. Discovering Computers 2012. Your Interactive Guide to the Digital World

Chapter 11 Manage Computing Securely, Safely and Ethically. Discovering Computers 2012. Your Interactive Guide to the Digital World Chapter 11 Manage Computing Securely, Safely and Ethically Discovering Computers 2012 Your Interactive Guide to the Digital World Objectives Overview Define the term, computer security risks, and briefly

More information

Information Security: A Perspective for Higher Education

Information Security: A Perspective for Higher Education Information Security: A Perspective for Higher Education A By Introduction On a well-known hacker website, individuals charged students $2,100 to hack into university and college computers for the purpose

More information

CYBER SECURITY: NAVIGATING THE THREAT LANDSCAPE

CYBER SECURITY: NAVIGATING THE THREAT LANDSCAPE CYBER SECURITY: NAVIGATING THE THREAT LANDSCAPE WHITE PAPER www.cibecs.com 2 Table of ontents 01 02 03 04 05 EXECUTIVE SUMMARY: CYBER SECURITY MANAGING YOUR ATTACK SURFACE DATA VULNERABILITY 1 THE ENDPOINT

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

Information Security By Bhupendra Ratha, Lecturer School of Library & Information Science D.A.V.V., Indore E-mail:bhu261@gmail.com Outline of Information Security Introduction Impact of information Need

More information

9. Information Assurance and Security, Protecting Information Resources. Janeela Maraj. Tutorial 9 21/11/2014 INFO 1500

9. Information Assurance and Security, Protecting Information Resources. Janeela Maraj. Tutorial 9 21/11/2014 INFO 1500 INFO 1500 9. Information Assurance and Security, Protecting Information Resources 11. ecommerce and ebusiness Janeela Maraj Tutorial 9 21/11/2014 9. Information Assurance and Security, Protecting Information

More information

SECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM

SECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM SECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM Chandramohan Muniraman, Meledath Damodaran, Amanda Ryan University of Houston-Victoria Abstract As in any information management system security

More information

PCI Data Security Standards (DSS)

PCI Data Security Standards (DSS) ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants

More information

4. Identify the security measures provided by Microsoft Office Access. 5. Identify the methods for securing a DBMS on the Web.

4. Identify the security measures provided by Microsoft Office Access. 5. Identify the methods for securing a DBMS on the Web. Topic 8 Database Security LEARNING OUTCOMES When you have completed this Topic you should be able to: 1. Discuss the important of database security to an organisation. 2. Identify the types of threat that

More information

Privacy + Security + Integrity

Privacy + Security + Integrity Privacy + Security + Integrity Docufree Corporation Data Security Checklist Security by Design Docufree is very proud of our security record and our staff works diligently to maintain the greatest levels

More information

Information Security Awareness Training

Information Security Awareness Training Information Security Awareness Training Presenter: William F. Slater, III M.S., MBA, PMP, CISSP, CISA, ISO 27002 1 Agenda Why are we doing this? Objectives What is Information Security? What is Information

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Information Security Policies and Procedures Development Framework for Government Agencies. First Edition - 1432 AH

Information Security Policies and Procedures Development Framework for Government Agencies. First Edition - 1432 AH Information Security Policies and Procedures Development Framework for Government Agencies First Edition - 1432 AH 6 Contents Chapter 1 Information Security Policies and Procedures Development Framework

More information

NCS 330. Information Assurance Policies, Ethics and Disaster Recovery. NYC University Polices and Standards 4/15/15.

NCS 330. Information Assurance Policies, Ethics and Disaster Recovery. NYC University Polices and Standards 4/15/15. NCS 330 Information Assurance Policies, Ethics and Disaster Recovery NYC University Polices and Standards 4/15/15 Jess Yanarella Table of Contents: Introduction: Part One: Risk Analysis Threats Vulnerabilities

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee

Created By: 2009 Windows Server Security Best Practices Committee. Revised By: 2014 Windows Server Security Best Practices Committee Windows Server Security Best Practices Initial Document Created By: 2009 Windows Server Security Best Practices Committee Document Creation Date: August 21, 2009 Revision Revised By: 2014 Windows Server

More information

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security

More information

OCR LEVEL 3 CAMBRIDGE TECHNICAL

OCR LEVEL 3 CAMBRIDGE TECHNICAL Cambridge TECHNICALS OCR LEVEL 3 CAMBRIDGE TECHNICAL CERTIFICATE/DIPLOMA IN IT NETWORKED SYSTEMS SECURITY J/601/7332 LEVEL 3 UNIT 28 GUIDED LEARNING HOURS: 60 UNIT CREDIT VALUE: 10 NETWORKED SYSTEMS SECURITY

More information

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

AN OVERVIEW OF INFORMATION SECURITY STANDARDS AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information

INFORMATION SECURITY PROGRAM

INFORMATION SECURITY PROGRAM Approved 1/30/15 by Dr. MaryLou Apple, President MSCC Policy No. 1:08:00:02 MSCC Gramm-Leach-Bliley INFORMATION SECURITY PROGRAM January, 2015 Version 1 Table of Contents A. Introduction Page 1 B. Security

More information

12. SECURITY. The momentum of cloud computing makes it an enormous and essential requirement to study these factors and arrive at solutions.

12. SECURITY. The momentum of cloud computing makes it an enormous and essential requirement to study these factors and arrive at solutions. 12. SECURITY As promising as it is, cloud computing also faces various security issues, which include access of sensitive data, data segregation, privacy, authentication, identity management, policy integration,

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE

THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information

AN INFORMATION GOVERNANCE BEST

AN INFORMATION GOVERNANCE BEST SMALL BUSINESS ID THEFT AND FRAUD AN INFORMATION GOVERNANCE BEST PRACTICES GUIDE FOR SMALL BUSINESS IT IS NOT A MATTER OF IF BUT WHEN AN INTRUSION WILL BE ATTEMPTED ON YOUR BUSINESS COMPUTER SYSTEM IN

More information

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4

More information

Local Government Cyber Security:

Local Government Cyber Security: Local Government Cyber Security: Guidelines for Backing Up Information A Non-Technical Guide Essential for Elected Officials Administrative Officials Business Managers Multi-State Information Sharing and

More information

OCLC Digital Archive Preservation Policy and Supporting Documentation Last Revised: 8 August 2006

OCLC Digital Archive Preservation Policy and Supporting Documentation Last Revised: 8 August 2006 OCLC Digital Archive Preservation Policy and Supporting Documentation Last Revised: 8 August 2006 OCLC Online Computer Library Center, Inc. Dublin, Ohio 43017-3395 USA 2004, OCLC Online Computer Library

More information

WEB ATTACKS AND COUNTERMEASURES

WEB ATTACKS AND COUNTERMEASURES WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Stay ahead of insiderthreats with predictive,intelligent security

Stay ahead of insiderthreats with predictive,intelligent security Stay ahead of insiderthreats with predictive,intelligent security Sarah Cucuz sarah.cucuz@spyders.ca IBM Security White Paper Executive Summary Stay ahead of insider threats with predictive, intelligent

More information

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Guidelines for Website Security and Security Counter Measures for e-e Governance Project and Security Counter Measures for e-e Governance Project Mr. Lalthlamuana PIO, DoICT Background (1/8) Nature of Cyber Space Proliferation of Information Technology Rapid Growth in Internet Increasing Online

More information

Security Basics: A Whitepaper

Security Basics: A Whitepaper Security Basics: A Whitepaper Todd Feinman, David Goldman, Ricky Wong and Neil Cooper PricewaterhouseCoopers LLP Resource Protection Services Introduction This paper will provide the reader with an overview

More information

Forrestville Valley School District #221

Forrestville Valley School District #221 Forrestville Valley School District #221 Student Acknowledgment of Receipt of Administrative Procedures for Acceptable Use of the Electronic Network 2015-2016 All use of electronic networks shall be consistent

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration

More information